© 2014 NTT Com Security
Mobile Device Mismanagement
Vulnerabilities in MDM Solutions and their impact
Stephen Breen
06 AUG 2014
Stephen Breen-Public-Approved
Bios
Stephen Breen
• Senior Consultant
Christopher Camejo
• Director of Assessment Services
Contents
Intro
MDM market
How this started
What we found
What can we do about it
Intro
Everything increases the potential attack surface – even security products
Heartbleed
• Neel Mehta - 2014
• SSL/TLS supposed to protect communication channels
• Vulnerability results in a false sense of security
Antivirus
• Feng Xue - “Attacking Antivirus” - Black Hat Europe 2008
• Vulnerabilities within AV allow full system compromise
• Write malware that gets into the network through the virus scanner
Barracuda
• Stefan Viehböck - 2013
• Vendor hardcoded root backdoor accounts in firewalls, VPNs, etc.
• Your own security products can be turned against you
MDM
• Sebastien Andrivet - “The Security of MDM Systems” - Hack In Paris 2013
• More web interface vulns plus attacks on the device communications
MDM market
What is Mobile Device Management?
• Mobile devices used to access corporate information
• Security software to manage employee mobile devices
Deployment Data
What's the status of mobile device management software at your company?
• Deployed: 26%
• In the process of deploying: 17%
• Evaluating: 39%
• No plans to deploy: 12%
• Don't know: 6%
Approximately 180 million enterprise BYOD devices globally, expected to increase to 390 million by 2015.
The U.S. region will lead the market with an estimated 68 percent of the overall market share.
MDM market will grow 23.3% over the next five years.
82% of companies surveyed looking into MDM (deployed, deploying or evaluating)
• Data: InformationWeek 2013 Mobile Device Management and Security Survey of 307 business technology professionals, September 2012
Usage data
What Company Assets Do You Access Via Mobile Devices?
• Email: 95%
• Office Applications: 61%
• VPN: 48%
• Corporate File Servers: 41%
• Databases: 31%
• CRM: 29%
• Corporate wiki or social network: 28%
• SaaS or cloud business apps: 24%
• Human resources applications: 21%
• ERP: 20%
Data: InformationWeek 2013 Mobile Device Management and Security Survey of 307 business technology professionals, September 2012
Products
(Vendor landscape chart not reproduced.)
Top-right quadrant: 0 CVE results
• Doesn’t mean there are no vulnerabilities
• Could mean nobody is looking
Some products share a common backend
• They likely share common vulnerabilities
How this started
The value of a good pen test
Pen testing a client with MDM deployed:
• Found default credentials on MDM console
• Found previously unknown remote code execution in console
• Hooray/uh-oh
Pen testing a client’s mobile devices with MDM:
• Simple jailbreak detection bypass
• Found lots of vulnerabilities – PoC to compromise all Domain users’ plaintext passwords
• Hooray/uh-oh
Vendor Relations
Hard to test MDM
• Most vendors don’t give out demo products
• Not much tooling or information available to pen testers
Findings disclosed to vendors
• Patches have already been issued and will continue to be issued based on the issues we have identified
What we found
…minus the details
First Glance
We focused on iOS MDM because it uses a standard protocol
• Android’s lack of a standard does not imply it’s better – just product-specific vulnerabilities
iOS enforces an API for MDM
• Most of the code on the mobile device is part of iOS
• The protocol is standardized but the implementations vary
• The server software is also written by the vendor
Vendor code is where vulnerabilities have slipped in
• It’s possible to implement reasonably secure MDM on iOS – the protocol seems solid
Android doesn’t have an MDM API
• More room for the vendors to make mistakes
• Android implementations may be much worse than iOS
iOS MDM API Enrollment – How it works
Enrollment is the process by which a device becomes managed by MDM
iOS uses 3 distinct phases for enrollment:
• Authentication – The user authenticates to the MDM server
• Certificate Enrollment – The device and server exchange crypto keys
• Device Configuration – The server applies configuration changes to the device
Typically occurring over HTTP
iOS MDM API Enrollment – Negotiation Issues
Issues:
• Doing enrollment without encrypting communications
• Easily ignored certificate errors
• Predictable tokens
• Tokens remain valid for re-enrollment forever
• Token leakage (external services and improper handling)
Result:
• Compromising tokens results in user impersonation
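The token issues above, as an added example that is not code from the talk or from any vendor's product: a Go issuer for the tokens handed out in the Authentication phase of enrollment. WeakToken shows the predictable pattern (sequential, so one observed token lets an attacker enumerate other users' enrollment tokens and enroll as them); Issue and Redeem show the properties that close the listed issues: 256 bits from crypto/rand, stored only as a hash, bound to the requesting user, expiring, and consumed on first use so a leaked or re-used token cannot re-enroll. The 15-minute lifetime and the user names are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Added example, not code from the talk or any vendor: an issuer for the
// one-time tokens used in the Authentication phase of iOS MDM enrollment.

const tokenTTL = 15 * time.Minute // assumed: long enough to finish enrollment, short enough to limit reuse of a leaked token

type pendingEnrollment struct {
	user    string
	expires time.Time
}

// EnrollmentTokens keeps only the SHA-256 of each outstanding token, so a
// database dump or a log line does not hand out usable enrollment tokens.
type EnrollmentTokens struct {
	mu      sync.Mutex
	pending map[[32]byte]pendingEnrollment
	seq     uint64 // used only by WeakToken below
}

func NewEnrollmentTokens() *EnrollmentTokens {
	return &EnrollmentTokens{pending: map[[32]byte]pendingEnrollment{}}
}

// WeakToken is the pattern the talk warns about: a sequential (or
// timestamp-derived) token. Anyone who sees one can enumerate the others and
// complete enrollment as a different user.
func (s *EnrollmentTokens) WeakToken() string {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.seq++
	return fmt.Sprintf("%08x", s.seq)
}

// Issue returns a fresh 256-bit random token for user, valid until now+tokenTTL.
func (s *EnrollmentTokens) Issue(user string, now time.Time) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := base64.RawURLEncoding.EncodeToString(raw) // URL-safe: tokens travel in enrollment URLs
	s.mu.Lock()
	defer s.mu.Unlock()
	s.pending[sha256.Sum256([]byte(tok))] = pendingEnrollment{user: user, expires: now.Add(tokenTTL)}
	return tok, nil
}

// Redeem consumes tok and returns the user it was issued to. The token is
// deleted on first use whether or not it is still valid, so a leaked token
// cannot be replayed to re-enroll or to enroll a second, attacker-owned device.
func (s *EnrollmentTokens) Redeem(tok string, now time.Time) (string, error) {
	key := sha256.Sum256([]byte(tok))
	s.mu.Lock()
	defer s.mu.Unlock()
	p, ok := s.pending[key]
	if !ok {
		return "", errors.New("unknown or already used token")
	}
	delete(s.pending, key)
	if now.After(p.expires) {
		return "", errors.New("token expired")
	}
	return p.user, nil
}

func main() {
	s := NewEnrollmentTokens()
	now := time.Now()
	tok, _ := s.Issue("alice", now)
	user, err := s.Redeem(tok, now.Add(time.Minute))
	fmt.Println("first redemption:", user, err)
	_, err = s.Redeem(tok, now.Add(2*time.Minute))
	fmt.Println("replay:", err)
	fmt.Println("weak tokens:", s.WeakToken(), s.WeakToken())
}
```

Hashing the token before storing it costs nothing and means the tokens in the database are not the tokens on the wire; the expiry and single-use rules are what stop a token that leaked through an external service or a log from being good for re-enrollment forever.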
iOS MDM API Communication – How it works
(Sequence diagram, redrawn as a list.)
1. MDM Server -> Apple: “I have a message for device X”
2. Apple -> Device X (APNS push): “MDM Server has a message for you…”
3. Device X -> MDM Server: “You called?”
4. MDM Server -> Device X: “Do stuff and/or take this sensitive data…”
• Domain Credentials
• WPA2 PSK
• Configuration settings
• …
iOS MDM API Communication – Commands
Control: Lock, Clear Passcode, Wipe
Device Info: List Profiles, Installed Applications, Certificate List, Provisioning Profiles, Restrictions, Managed Applications, Security Information
Configuration: Install Profile, Remove Profile, Install Application, Remove Application, Settings, Install Provisioning Profile, Remove Provisioning Profile
Device -> Server: Token Update, Authenticate, CheckOut, Status
iOS MDM API Communications – Negotiation Issues
MDM-Signature not available in some products
• Send fake messages on behalf of devices
• DoS MDM service by changing tokens
• Tell server devices don’t want to be enrolled anymore
• Trick server into issuing wipe commands
• Steal profile data (AD credentials, WPA keys, etc.)
Payload encryption disabled in some products
• Can remotely intercept sensitive data going from the server to the device
• Domain credentials (plaintext?!), WPA2 pre-shared keys, other sensitive configuration information…
iOS MDM API Communications – Negotiation Issues (cont.)
Injection Flaws
• SQLi
• XXE
• We were able to create a Burp extension to automatically generate spoofed MDM-Signature headers
Flawed Signature Validation
• Not all signature validation methods are created equal
• Some products may not link keys to users
• Some products may not check issuing CA
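The two flawed-validation bullets above and the "fake messages on behalf of devices" slide before it, as an added example that is not code from the talk, from any vendor or from Apple: a Go check-in handler fed a spoofed TokenUpdate with the two checks toggled on and off. A real MDM-Signature header is a base64 CMS detached signature over the request body; to run with only the Go standard library the example substitutes a raw PKCS#1 v1.5 signature over the body and hands the signer certificate over separately, and it pulls keys out of the plist with a regular expression rather than a plist parser. The enrollment CA, the device certificates and the check-in body are generated or constructed inline; the UDID values are placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// Added example, not any vendor's code. A real MDM-Signature is a base64 CMS detached signature
// over the body; this stands in a raw PKCS#1 v1.5 signature and passes the signer cert separately.

type Server struct {
	CA         *x509.CertPool      // CA that issued identity certs during enrollment
	Enrolled   map[string][32]byte // UDID -> SHA-256 of the identity cert issued to it at enrollment
	CheckChain bool                // signer cert must chain to CA ("may not check issuing CA")
	CheckBind  bool                // signer cert must be the enrolled one ("may not link keys to users")
}

var pair = regexp.MustCompile(`<key>(\w+)</key>\s*<(?:string|data)>([^<]*)<`) // flat plist dict; a real server would use a plist library

// HandleCheckin verifies sig (made with signer's key over body) and says why a message is rejected.
func (s *Server) HandleCheckin(body, sig []byte, signer *x509.Certificate) error {
	msg := map[string]string{}
	for _, m := range pair.FindAllStringSubmatch(string(body), -1) {
		msg[m[1]] = m[2]
	}
	enrolledFP, ok := s.Enrolled[msg["UDID"]]
	if !ok || signer == nil {
		return fmt.Errorf("unknown UDID or missing MDM-Signature")
	}
	h := sha256.Sum256(body)
	pub, ok := signer.PublicKey.(*rsa.PublicKey)
	if !ok || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return fmt.Errorf("bad signature")
	}
	if s.CheckChain {
		opts := x509.VerifyOptions{Roots: s.CA, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
		if _, err := signer.Verify(opts); err != nil {
			return fmt.Errorf("signer not issued by enrollment CA")
		}
	}
	if s.CheckBind && sha256.Sum256(signer.Raw) != enrolledFP {
		return fmt.Errorf("signer cert is not the one enrolled for this UDID")
	}
	return nil // accepted: a TokenUpdate here would now repoint the device's push token
}

// newCert makes a throwaway cert (errors ignored: fixture only); parent == nil means self-signed.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Constructed sample, not a capture: a TokenUpdate that would repoint UDID-A's push token.
const spoofed = `<plist version="1.0"><dict>
<key>MessageType</key><string>TokenUpdate</string>
<key>UDID</key><string>UDID-A</string>
<key>Token</key><data>QVRUQUNLRVI=</data>
</dict></plist>`

// Scenario replays the spoofed check-in under each validation setting; nil means accepted.
func Scenario() map[string]error {
	ca, caKey := newCert("Example MDM Enrollment CA", true, nil, nil)
	devA, devAKey := newCert("UDID-A", false, ca, caKey)  // the legitimate UDID-A device
	devB, devBKey := newCert("UDID-B", false, ca, caKey)  // another enrolled device (or an insider's)
	rogue, rogueKey := newCert("UDID-A", false, nil, nil) // attacker's self-signed cert claiming UDID-A
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	enrolled := map[string][32]byte{"UDID-A": sha256.Sum256(devA.Raw), "UDID-B": sha256.Sum256(devB.Raw)}
	try := func(chain, bind bool, c *x509.Certificate, k *rsa.PrivateKey) error {
		h := sha256.Sum256([]byte(spoofed))
		sig, _ := rsa.SignPKCS1v15(rand.Reader, k, crypto.SHA256, h[:])
		s := &Server{CA: pool, Enrolled: enrolled, CheckChain: chain, CheckBind: bind}
		return s.HandleCheckin([]byte(spoofed), sig, c)
	}
	return map[string]error{
		"no CA check, rogue cert":       try(false, false, rogue, rogueKey),
		"CA check only, other device":   try(true, false, devB, devBKey),
		"CA+binding, rogue cert":        try(true, true, rogue, rogueKey),
		"CA+binding, other device":      try(true, true, devB, devBKey),
		"CA+binding, the device itself": try(true, true, devA, devAKey),
	}
}

func main() {
	for name, err := range Scenario() {
		fmt.Printf("%-30s %v\n", name, err)
	}
}
```

Run it and the first two configurations accept the spoof: a self-signed certificate is enough when the issuing CA is not checked, and the certificate of any other enrolled device (or of an attacker who enrolled one of their own) is enough when the key is not linked to the enrollment record. Only with both checks do both spoofs fail while the genuine device still checks in. A spoofed MDM-Signature header, such as the one the Burp extension above generates, is only worth anything against the first two configurations.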
What does this mean?
For Users:
Everything increases attack surface, even security products
Don’t deploy anything unless there’s a business need
• “Everybody else is doing it” isn’t a business need.
Due diligence (e.g. pen testing) of products before you choose and deploy
• When was the last time you had somebody look for zero-day vulnerabilities in a software product you bought?
Proper care and feeding of things you’ve deployed
• Hardened configuration
• Vulnerability management program
• Monitoring logs and alerts for su,spicious activity
For Users:
Real pen testing
• More than vulnerability scanning
• APT are looking for zero-days, you should too
• Keep in mind this all started at a client during a routine pen test
Look at risk across the organization
• Security isn’t about throwing more fancy boxes on the network, those are just tools
• In order for tools to be effective they need to be deployed appropriately and have operators who know how to use them (and have the time)
• If you don’t know where your risk is you can’t deploy tools appropriately
For Product Vendors:
Software Development Lifecycle
• Everything is webified so your devs better eat/breathe/sleep OWASP
• Pen test your own products (before somebody does it for you)
• Your customers shouldn’t be your QA team
• If your QA team doesn’t know how to find vulnerabilities then find somebody who can
Don’t rely on security by obscurity
• We can reverse-engineer your protocol faster than you wrote it
• So can the bad guys
Authenticate all the things
• Certificates, tokens, signatures, and encryption exist for a reason, use them
• If you’re making your own version of any of those: you’re doing it wrong
Q&A
No, we won’t name vendors
• There are patches for many of these issues but people need time to apply them
• And some of these issues may still be unpatched
• But we would be happy to pen test your MDM deployment
Stephen Breen
• Senior Security Consultant
• NTT Com Security
• stephen.breen@nttcomsecurity.com
